Tuesday 30 March 2010

Horrendous privacy fail

Quiptxt.com had a really popular iPhone app that let users send pics of themselves to other users via their servers. Except these pics were supposedly made 'private' by the following genius algorithm:
  1. Save the image at a URL of the form http://pic.quiptxt.com/[arbitrary 5 characters]
  2. Don't tell anybody else about it
So basically, anyone could go to a random pic.quiptxt.com/[5 chars] and chances were pretty good that you'd end up seeing a photo someone sent to someone else. Five characters is a tiny keyspace: with a large number of photos stored, a random guess lands on a real one often enough that scraping the lot is just a matter of patience. That is obscurity, not access control. And since the sender thought the photo was private, it was usually pretty uninhibited.
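To put numbers on "chances were pretty good", here is an added example (not code from the post or from Quiptxt) that computes the keyspace of a 5-character id, the hit rate a scraper gets against a given number of stored photos, simulates such a scrape, and contrasts it with an id drawn from the OS CSPRNG. The post does not say which characters the ids used or how many photos were stored, so the lower-case-plus-digits alphabet and the photo counts below are assumptions.

```python
import math
import random
import secrets

# Assumed alphabet for the 5-character ids; the post does not say which
# characters Quiptxt used. Lower-case letters plus digits is a guess.
ID_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
# Alternative assumption: case-sensitive letters plus digits.
ID_ALPHABET_CASE_SENSITIVE = (
    "abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "0123456789"
)
ID_LENGTH = 5


def keyspace(alphabet: str = ID_ALPHABET, length: int = ID_LENGTH) -> int:
    """Number of distinct ids the scheme can produce (alphabet size ^ length)."""
    return len(alphabet) ** length


def hit_probability(stored: int, alphabet: str = ID_ALPHABET, length: int = ID_LENGTH) -> float:
    """Chance that one uniformly random guess lands on a stored photo."""
    return min(1.0, stored / keyspace(alphabet, length))


def expected_guesses_per_hit(stored: int, alphabet: str = ID_ALPHABET, length: int = ID_LENGTH) -> float:
    """Average number of URL fetches a scraper needs per photo found."""
    p = hit_probability(stored, alphabet, length)
    return math.inf if p == 0 else 1.0 / p


def simulate_scrape(stored: int, guesses: int, seed: int = 0) -> int:
    """Simulate the Reddit scraper: 'stored' random ids exist on the server,
    the scraper fetches 'guesses' random URLs; return how many were real photos.
    Uses a seeded PRNG so the run is reproducible (constructed data, not real ids)."""
    rng = random.Random(seed)
    existing = set()
    while len(existing) < stored:
        existing.add("".join(rng.choices(ID_ALPHABET, k=ID_LENGTH)))
    hits = 0
    for _ in range(guesses):
        if "".join(rng.choices(ID_ALPHABET, k=ID_LENGTH)) in existing:
            hits += 1
    return hits


def unguessable_id(nbytes: int = 16) -> str:
    """What the id should have been: 128 bits from the OS CSPRNG, URL-safe.
    16 bytes base64url-encode to 22 characters; the keyspace is 2**128, so
    random guessing finds nothing even with billions of stored photos."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    stored = 1_000_000  # assumed number of photos on the server
    print("keyspace (36^5):", keyspace())
    print("keyspace (62^5):", keyspace(ID_ALPHABET_CASE_SENSITIVE))
    print("P(hit per guess) with %d photos: %.4f" % (stored, hit_probability(stored)))
    print("expected fetches per photo: %.1f" % expected_guesses_per_hit(stored))
    print("simulated hits in 20k guesses vs 200k photos:", simulate_scrape(200_000, 20_000, seed=1))
    print("a proper id looks like:", unguessable_id())
    print("P(hit per guess) with 128-bit ids: %.3e" % (stored / 2 ** 128))
```

Two things worth noting. First, even 62^5 (about 916 million ids) only buys a few hundred fetches per photo once a million photos are stored, which a scraper does in minutes; the keyspace has to be large enough that the expected number of guesses per hit is astronomically large, which is why 128 random bits is the usual floor. Second, an unguessable URL still only replaces "guessable" with "shareable": anyone who gets the link sees the photo, so if the photo is meant to be visible to one recipient, the server also has to check who is asking, not just what they asked for.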

Folks on Reddit found this out, and quickly whipped up a script that scraped all the images off that site, and found out one more really interesting thing: the site stored the users' real names along with the pics. This spurred on the hundreds of thousands of jobless intarwebs folks to neatly cross-reference these names with profile pages on Facebook and Myspace. So now junta could, if they were so inclined (and many were), put a face to the dirtybits in the photos.

Moral of the story: If you don't want your pictures of a 'questionable' nature ending up in undesirable places, do not send them across the Internet. If you must, then verify a few hundred times that it is truly private, then ask your friendly TRUSTY neighbourhood geek to do the same. Then think again a few hundred times whether you truly wouldn't mind if the picture(s) ended up in places you didn't really intend. After all this, consider the downside of that scenario happening. If you (think you) can live with it, or shrug it off, or ride it out, then go ahead and hit 'Send'. If you think it won't really matter some time in the future, you are being stupid. At best.